
02-15-2019 08:17 AM
Hello SN Comm,
I want to see if anyone knows a good way to protect attachments that are attached to an HR Case form? Can it be locked to only the Assigned To (and maybe also certain users with a special role, etc.)?
Maybe even having to enter in a password when trying to view the attachment from the Case? I feel like that idea is pretty far out there, but hey - ya never know what the system can do until you go through it and/or ask!
Thank you,
-Rob

02-17-2019 03:25 PM
Rob,
I see most of the replies have been to provide technical solutions within the HR Scoped app using ACLs.
I'm going to suggest another approach for you to think about. The HR Scoped App has an extra application "Employee Document Management". (https://docs.servicenow.com/bundle/london-hr-service-delivery/page/product/human-resources/concept/hr-employee-doc-management.html)
One of the key points with EDM is that it allows you to put security controls around documents associated with an employee's profile (from cases, etc.) via Document Types:
Use document types to:
- Associate a security policy. Security policies determine who can access employee documents and determine purge authorization.
- Associate a retention policy. Retention policies determine how long to keep a document and who the document is applicable to.
- Place a legal hold. Legal holds temporarily prevent document purging or changes to the document.
- Allow access to employees.
- Configure employee documents to be moved automatically when an HR case is closed. Assign a topic detail associated with an HR service that has the Automatically move attachments box checked. See Configure an HR service.
Keep in mind EDM is an extra license cost.
Thanks,
Kevin

02-15-2019 08:34 AM
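You could create a Read ACL for sys_attachment, using something similar to this:

    // Read ACL script on sys_attachment; an ACL script reports its result through `answer`.
    if (current.table_name == 'hr_case') {
        // Allow the user who created the attachment, or anyone holding the role.
        if (current.sys_created_by == gs.getUserName() || gs.hasRole('The Role you are looking for')) {
            answer = true;
        } else {
            answer = false;
        }
    }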
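An added example (not code from this thread or from ServiceNow) of the decision the original question asks for: read access limited to the parent case's Assigned To plus a special role, rather than the attachment's creator. Plain objects stand in for the sys_attachment and case records so it runs under Node; the role name `hr_attachment_viewer`, the `findCase` lookup and all sample records are assumptions, and in an ACL script the lookup would be a GlideRecord query with the result assigned to `answer`.

```javascript
'use strict';
// Added example: who may read an attachment that sits on an HR case.

const HR_CASE_TABLE = 'hr_case';             // table name as posted in the thread
const VIEWER_ROLE = 'hr_attachment_viewer';  // hypothetical role name

// Returns true/false for attachments on HR cases, null when the rule does not apply.
function canReadAttachment(attachment, user, findCase) {
  if (attachment.table_name !== HR_CASE_TABLE) return null;
  if (user.roles.includes(VIEWER_ROLE)) return true;
  // table_sys_id on the attachment identifies the record it is attached to.
  const hrCase = findCase(attachment.table_sys_id);
  // Fail closed: a missing parent case or an empty Assigned To denies access.
  if (!hrCase || !hrCase.assigned_to) return false;
  return hrCase.assigned_to === user.sys_id;
}

// Constructed sample data (not real records).
const CASES = {
  case1: { assigned_to: 'u_agent' },
  case2: { assigned_to: '' },          // case not yet assigned
};
const findCase = (id) => CASES[id] || null;

const agent = { sys_id: 'u_agent', roles: [] };
const uploader = { sys_id: 'u_employee', roles: [] };
const auditor = { sys_id: 'u_audit', roles: [VIEWER_ROLE] };

const onCase1 = { table_name: HR_CASE_TABLE, table_sys_id: 'case1', sys_created_by: 'u_employee' };
const onCase2 = { table_name: HR_CASE_TABLE, table_sys_id: 'case2', sys_created_by: 'u_employee' };
const orphan = { table_name: HR_CASE_TABLE, table_sys_id: 'gone', sys_created_by: 'u_agent' };
const onIncident = { table_name: 'incident', table_sys_id: 'inc1', sys_created_by: 'u_agent' };

function demo() {
  return {
    assigneeReadsOwnCase: canReadAttachment(onCase1, agent, findCase),
    uploaderReadsCase: canReadAttachment(onCase1, uploader, findCase),
    roleHolderReadsUnassigned: canReadAttachment(onCase2, auditor, findCase),
    agentReadsUnassigned: canReadAttachment(onCase2, agent, findCase),
    agentReadsOrphan: canReadAttachment(orphan, agent, findCase),
    otherTable: canReadAttachment(onIncident, agent, findCase),
  };
}

console.log(demo());
```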

02-15-2019 08:50 AM

02-15-2019 08:52 AM

02-15-2019 08:53 AM
Yeah, that looks right.